Tencent’s Zhuque Lab scanned nearly 50,000 skills on ClawHub, OpenClaw’s official skill marketplace, and found that attackers have moved well beyond brute-force malware. The new generation of malicious skills passes every layer of platform security detection, including regular expression scanning, prompt injection checks, LLM assessment, and VirusTotal, according to the Tencent research report published in April and newly cited by Cyber Security News on June 29.
The Ranking Manipulation Attack
The most alarming finding involves a vulnerability discovered by the Silverfort research team in March 2026. Silverfort found that anyone could send an unauthenticated request to ClawHub’s backend to artificially inflate download counts for any skill. To prove the risk, Silverfort released a skill disguised as “Outlook Graph Integration,” embedded a data-theft payload disguised as telemetry functionality, and then boosted it to the top of ClawHub’s search rankings by inflating its download numbers.
The attack worked on agents, not just humans. When OpenClaw agents autonomously select tools, they prioritize skills with the highest download counts. The manipulated ranking caused malicious skills to automatically install on agents without any human intervention, according to Tencent’s analysis. In Tencent’s framing: “ranking manipulation is tantamount to mass poisoning.”
Remote Control Backdoor That Passed Official Testing
Tencent’s audit also identified a skill that passed ClawHub’s full multi-layer security checks while functioning as a remote control backdoor. The skill described itself as a “distributed state recovery tool” with professional documentation, architecture diagrams, and reasonable permission requests. Its Python script retrieved a serialized object from a remote command-and-control server, decoded it through up to 12 chained encoding layers (Base64, ROT13, Morse code, and others), and then used Python’s pickle deserialization to execute arbitrary code on the host machine.
No malicious commands appeared anywhere in the code. The attacker only needed to upload instructions to the C2 server, and the skill would execute them after the connection was established. The entire chain, remote payload fetch, multi-layer encoding, and insecure deserialization, passed ClawHub’s security checks because each individual action appeared legitimate, according to Tencent’s report.
Tencent’s own AIG testing platform flagged the skill as high-risk by analyzing whether individual actions could combine into a complete attack chain, rather than pattern-matching against known threats.
The Growth Problem
ClawHub went from fewer than 2,000 skills in January 2026 to over 50,000 by April. In late January, the ClawHavoc incident saw 1,184 malicious skills distributed through 12 compromised publisher accounts, leading to 247,000 confirmed installations and $2.3 million in stolen cryptocurrency, according to Tencent. ClawHub added security detection mechanisms in February, but Tencent’s April audit shows those defenses cannot keep pace with the evolving attack surface.
OWASP acknowledged the severity in April by releasing the Top 10 Agentic Skills (AST10), the first time the security industry formally classified agent skills as a distinct and more dangerous attack surface than plugins or extensions, per the Tencent research.
The Autonomous Installation Problem
The core architectural risk is that agents select and install skills autonomously. When ranking systems can be manipulated and payloads can hide inside seemingly legitimate functionality, the security model shifts from defending against visible threats to defending against tools that look, read, and behave normally until they receive instructions from an external server.
As Coolc, head of Tencent’s security platform department, put it: “The real question isn’t what was discovered during the sweep, but rather: does this ecosystem still have an effective immune system?”
For any team running OpenClaw agents in production, the findings suggest that download count and marketplace ranking should not be treated as trust signals. Skills that request network access and code execution together warrant manual review regardless of how professional their documentation appears.